DNSLookup Failed: No DNSKEY record

A client moved one of our domains under their control, and they have set Azure Nameservers so that we can still control the sub-domains etc. from the Azure portal.
This worked fine until the certificate expired and Cert-manager (Kubernetes) tried to re-issue.

My domain is:
I ran this command:
Issue certificate for dell-elo.com, cms.dell-elo.com, xr.dell-elo.com, server.dell-elo.com
It produced this output:
DNS response for dell-elo.com had fatal DNSSEC issues: validation failure <dell-elo.com. A IN>: No DNSKEY record from for key dell-elo.com. while building chain of trust



My web server is (include version):
Kubernetes 1.18.10, cert-manager 1.6.1
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Azure Portal and CLI
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
cert-manager 1.6.1

Hi there!

I'm not sure what your question to the Let's Encrypt Community is. Clearly DNSSEC is broken, which is an issue with greater impact than just getting a new certificate. At this moment, any DNSSEC enabled DNS resolver is unable to resolve this domain name at all, so this website will be down for any user with a DNSSEC enabled DNS resolver. Regardless the certificate.

The only thing I can advice is to fix the DNSSEC issue.


ok thanks, do you have any pointers about how I can resolve this?
I have a domain zone set up in Azure, so maybe there's something that can be added there?

This doc says DNSSEC is not supported in Azure. What are my options if that's the case?

1 Like

If DNSSEC is not supported by the authorative DNS servers, the DS resource record should be removed from the .com zone. This can done by the DNS registar.


Yes, it's working fine now. Thanks for the pointers, it was exactly what I needed to understand the issue


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.